3f52e2354cdc8ea29241752aa30bc4afdfee7930bc7469cb9b4b478c5952f3ed

Analysis

max time kernel
120s
max time network
117s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
16/08/2024, 23:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ce45c4f43c72f45a57b5b9a78a59ab40N.exe
Size

38KB
MD5

ce45c4f43c72f45a57b5b9a78a59ab40
SHA1

b5c329015b9846fad677ea25052b93d405ede242
SHA256

3f52e2354cdc8ea29241752aa30bc4afdfee7930bc7469cb9b4b478c5952f3ed
SHA512

961a214e56ea6598d7989f94ba15704fe5eecee19df6e5b029d7aa9518f0f7baa1f2ed102143bba0ec52959163c120b091a7e2e2e4e0d947f9eb50764c8517cb
SSDEEP

192:pACU3DIY0Br5xjL/EAgAQmP1oynLb22vB7m/FJHo7m/FJHdGeqc4SUqUGeqc4SUy:yBs7Br5xjL8AgA71Fbhva4S04St

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4718) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\Lang\cs.txt.tmp	ce45c4f43c72f45a57b5b9a78a59ab40N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\serialver.exe.tmp	ce45c4f43c72f45a57b5b9a78a59ab40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-pl.xrm-ms.tmp	ce45c4f43c72f45a57b5b9a78a59ab40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_KMS_Client-ul-oob.xrm-ms.tmp	ce45c4f43c72f45a57b5b9a78a59ab40N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-white_scale-140.png.tmp	ce45c4f43c72f45a57b5b9a78a59ab40N.exe
File created	C:\Program Files\Common Files\microsoft shared\VC\msdia100.dll.tmp	ce45c4f43c72f45a57b5b9a78a59ab40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Overlapped.dll.tmp	ce45c4f43c72f45a57b5b9a78a59ab40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\Microsoft.VisualBasic.Forms.resources.dll.tmp	ce45c4f43c72f45a57b5b9a78a59ab40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial5-pl.xrm-ms.tmp	ce45c4f43c72f45a57b5b9a78a59ab40N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\excelcnvpxy.dll.tmp	ce45c4f43c72f45a57b5b9a78a59ab40N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OneNote\SendToOneNote.gpd.tmp	ce45c4f43c72f45a57b5b9a78a59ab40N.exe
File created	C:\Program Files\7-Zip\Lang\el.txt.tmp	ce45c4f43c72f45a57b5b9a78a59ab40N.exe
File created	C:\Program Files\Common Files\System\msadc\msadcer.dll.tmp	ce45c4f43c72f45a57b5b9a78a59ab40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\System.Windows.Forms.Design.resources.dll.tmp	ce45c4f43c72f45a57b5b9a78a59ab40N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\deploy.dll.tmp	ce45c4f43c72f45a57b5b9a78a59ab40N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\cryptix.md.tmp	ce45c4f43c72f45a57b5b9a78a59ab40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_KMS_Client-ppd.xrm-ms.tmp	ce45c4f43c72f45a57b5b9a78a59ab40N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-white_scale-80.png.tmp	ce45c4f43c72f45a57b5b9a78a59ab40N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe.tmp	ce45c4f43c72f45a57b5b9a78a59ab40N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\psfontj2d.properties.tmp	ce45c4f43c72f45a57b5b9a78a59ab40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentDemoR_BypassTrial180-ul-oob.xrm-ms.tmp	ce45c4f43c72f45a57b5b9a78a59ab40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_MAK-ppd.xrm-ms.tmp	ce45c4f43c72f45a57b5b9a78a59ab40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Private.Uri.dll.tmp	ce45c4f43c72f45a57b5b9a78a59ab40N.exe
File created	C:\Program Files\Java\jre-1.8\bin\management.dll.tmp	ce45c4f43c72f45a57b5b9a78a59ab40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Retail-ppd.xrm-ms.tmp	ce45c4f43c72f45a57b5b9a78a59ab40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_MAK_AE-ul-oob.xrm-ms.tmp	ce45c4f43c72f45a57b5b9a78a59ab40N.exe
File created	C:\Program Files\Common Files\System\msadc\msadce.dll.tmp	ce45c4f43c72f45a57b5b9a78a59ab40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Formats.Asn1.dll.tmp	ce45c4f43c72f45a57b5b9a78a59ab40N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.officemuiset.msi.16.en-us.xml.tmp	ce45c4f43c72f45a57b5b9a78a59ab40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Resources.ResourceManager.dll.tmp	ce45c4f43c72f45a57b5b9a78a59ab40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\System.Windows.Forms.Primitives.resources.dll.tmp	ce45c4f43c72f45a57b5b9a78a59ab40N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\ktab.exe.tmp	ce45c4f43c72f45a57b5b9a78a59ab40N.exe
File created	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe.tmp	ce45c4f43c72f45a57b5b9a78a59ab40N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\relaxngdatatype.md.tmp	ce45c4f43c72f45a57b5b9a78a59ab40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-ul-oob.xrm-ms.tmp	ce45c4f43c72f45a57b5b9a78a59ab40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	ce45c4f43c72f45a57b5b9a78a59ab40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.Csp.dll.tmp	ce45c4f43c72f45a57b5b9a78a59ab40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\UIAutomationClientSideProviders.resources.dll.tmp	ce45c4f43c72f45a57b5b9a78a59ab40N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.osmmui.msi.16.en-us.xml.tmp	ce45c4f43c72f45a57b5b9a78a59ab40N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\AccessRuntime2019_eula.txt.tmp	ce45c4f43c72f45a57b5b9a78a59ab40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\PresentationFramework.resources.dll.tmp	ce45c4f43c72f45a57b5b9a78a59ab40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\ReachFramework.resources.dll.tmp	ce45c4f43c72f45a57b5b9a78a59ab40N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\WidevineCdm\manifest.json.tmp	ce45c4f43c72f45a57b5b9a78a59ab40N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jsound.dll.tmp	ce45c4f43c72f45a57b5b9a78a59ab40N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.DataStreamer.Excel.dll.tmp	ce45c4f43c72f45a57b5b9a78a59ab40N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.EventSource.dll.tmp	ce45c4f43c72f45a57b5b9a78a59ab40N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-synch-l1-2-0.dll.tmp	ce45c4f43c72f45a57b5b9a78a59ab40N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe.tmp	ce45c4f43c72f45a57b5b9a78a59ab40N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Common.dll.tmp	ce45c4f43c72f45a57b5b9a78a59ab40N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaBrightRegular.ttf.tmp	ce45c4f43c72f45a57b5b9a78a59ab40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_KMS_Client-ul-oob.xrm-ms.tmp	ce45c4f43c72f45a57b5b9a78a59ab40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Grace-ppd.xrm-ms.tmp	ce45c4f43c72f45a57b5b9a78a59ab40N.exe
File created	C:\Program Files\Common Files\System\ado\msador28.tlb.tmp	ce45c4f43c72f45a57b5b9a78a59ab40N.exe
File created	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe.tmp	ce45c4f43c72f45a57b5b9a78a59ab40N.exe
File created	C:\Program Files\Java\jre-1.8\lib\javafx.properties.tmp	ce45c4f43c72f45a57b5b9a78a59ab40N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-time-l1-1-0.dll.tmp	ce45c4f43c72f45a57b5b9a78a59ab40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O16ConsumerPerp_Bypass30-ppd.xrm-ms.tmp	ce45c4f43c72f45a57b5b9a78a59ab40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_MAKC2R-ul-phn.xrm-ms.tmp	ce45c4f43c72f45a57b5b9a78a59ab40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Trial-ul-oob.xrm-ms.tmp	ce45c4f43c72f45a57b5b9a78a59ab40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTest-ul-oob.xrm-ms.tmp	ce45c4f43c72f45a57b5b9a78a59ab40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\System.Xaml.resources.dll.tmp	ce45c4f43c72f45a57b5b9a78a59ab40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp2-ul-oob.xrm-ms.tmp	ce45c4f43c72f45a57b5b9a78a59ab40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\mscordaccore.dll.tmp	ce45c4f43c72f45a57b5b9a78a59ab40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Forms.Primitives.resources.dll.tmp	ce45c4f43c72f45a57b5b9a78a59ab40N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ce45c4f43c72f45a57b5b9a78a59ab40N.exe

C:\Users\Admin\AppData\Local\Temp\ce45c4f43c72f45a57b5b9a78a59ab40N.exe
"C:\Users\Admin\AppData\Local\Temp\ce45c4f43c72f45a57b5b9a78a59ab40N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-523280732-2327480845-3730041215-1000\desktop.ini.tmp

Filesize
38KB

MD5
9a859396ac6826e0f60d45ef7ea90f48

SHA1
45f5f544681c5adb3f81f92d5aee1b38a6dc8e31

SHA256
54a84ec9433f0ed7b37805d77a1832d372711b00a54b5d931d25ef61185437df

SHA512
c2d73aba72d4171f536a627c495db16ecedb152a1409bb6d84ead0f053d294a25ae0e96ced945881550d4f1d170aebf5fb9ebed9ac3ee4a2ac04ca7fca5752f1

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
137KB

MD5
8e4474929afe6fd851268afc44764eab

SHA1
d138ca92b1a28424c44abe08011a949a9d35d009

SHA256
b58f1ecfe9c6d4701d8129f1491a15451a9185e65a6908f91aefed3b689a7822

SHA512
b02f6a95756eda19269811aecdfe9676ff4ce8cd62473a797f36c0d7158c6438178f96fe7e9fa48818e528b46f4609ae86f7b74ca863433efa6b8e2a5aabf58d

Download Submit
memory/412-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/412-1008-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download